COMP 6370 – Supplemental – DoDD 8500.1 & DoDI 8500.2

DoDD 8500.1
DoDI 8500.2

Tutorial Lecture for students pursuing NSTISSI 4011 INFOSEC Professional



Scope of DoDD 8500.1

• Information Classes:
  – Unclassified
  – Sensitive information
  – Classified

• All ISs to include:
  – All DoD owned or controlled information systems
  – Information systems under contract to DoD
  – Outsourced information-based processes (e.g., those supporting e-commerce or e-business)
  – Information systems of non-appropriated fund (NAF) activities
  – Stand-alone information systems
  – Mobile computing devices (e.g., laptop, PDA, handheld)


DoDD 8500.1 Policy

• Information Assurance Requirements and new/upgraded systems
  – According to this directive, IA requirements will be identified and included in the design, acquisition, installation, upgrade, or replacement of any information system within DoD. Also, Public Key Infrastructure (PKI) certificates and biometrics will be incorporated into all new and upgraded systems whenever possible.

• All DoD information systems shall maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability that reflects a balance among:
  – the importance and sensitivity of the information and information assets
  – documented threats and vulnerabilities
  – the trustworthiness of users and interconnected systems
  – the impact or destruction of the system
  – cost effectiveness

• For IA purposes, all DoD systems are organized and managed within 4 categories:
  – Automated Information Systems (AIS) applications
  – Enclaves (includes networks)
  – Outsourced IT-based processes
  – Platform IT interconnections

• IA readiness is a critical element of overall mission readiness. It will be monitored, reported, and evaluated throughout DoD and validated by the DoD CIO.


DoDD 8500.1 Information Assurance

• DoDD 8500.1 became effective on 24 October 2002 (certified current as of 21 Nov 2003). Its purpose is to establish policy and assign responsibilities in order to achieve Department of Defense (DoD) information assurance (IA). It accomplishes this by utilizing a defense-in-depth approach that integrates the capabilities of personnel, operations, and technology, and supports the evolution to network-centric warfare.

• This directive supersedes the following documents:
  – DoD Directive 5200.28 -- “Security Requirements for Automated Information Systems”
  – DoD 5200.28-M -- “ADP Security Manual”
  – DoD 5200.28-STD -- “DoD Trusted Computer Security Evaluation Criteria”
  – DoD Chief Information Officer (CIO) Memorandum 6-8510

• It designates the Secretary of the Army as the Executive Agent for the integration of common biometric technologies throughout the Department of Defense.


DoDD 8500.1 COTS IA Compliance

• National Security Telecommunications and Information Systems Security Policy Number 11
  – NSTISSP #11 is a national security community policy governing the acquisition of information assurance (IA) and IA-enabled information technology products. The policy was issued by the Chairman of the National Security Telecommunications and Information Systems Security Committee (NSTISSC), now known as the Committee on National Security Systems (CNSS), in January 2000 and revised in June 2003. The policy mandates, effective 1 July 2002, that departments and agencies within the Executive Branch shall acquire, for use on national security systems, only those COTS products or cryptographic modules that have been validated with the International Common Criteria for Information Technology Security Evaluation, the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS), or by the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS).

• The objective of NSTISSP #11 is to ensure that COTS IA and IA-enabled IT products acquired by the U.S. Government for use in national security systems perform as advertised by their respective manufacturers, or satisfy the security requirements of the intended user. To achieve this objective, the policy requires COTS products be evaluated and validated in accordance with either the International Common Criteria for Information Technology Security Evaluation, or the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2. Supportive of the intent and implementation of NSTISSP #11, the NSA and NIST have collaborated to establish the following two evaluation and validation programs:
  – National Information Assurance Partnership's (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) Program
    http://niap.nist.gov/cc-scheme/index.html
  – NIST Federal Information Processing Standard (FIPS) Cryptographic Module Validation Program (CMVP)
    http://csrc.nist.gov/cryptval/cmvp.htm


8500 Series IA Compliance Decision Tree

** Compliance with applicable guidance in the 8500 series is recommended for all other systems with embedded IT assets.


IA Compliance by Acq. Program Type


DoDI 8500.2 Overview
Multi-Echelon Management Structure


DoDI 8500.2 Overview
Multi-Echelon Management Structure


IA Controls (Enclosure 4, DoDI 8500.2)

• IA Control Subject Area. One of eight groups indicating the major subject or focus area to which an individual IA Control is assigned. (Next Slide)

• IA Control Number. A unique identifier comprised of four letters, a dash, and a number. The first two letters are an abbreviation for the subject area name and the second two letters are an abbreviation for the individual IA Control name. The number represents a level of robustness in ascending order that is relative to each IA Control. (Next Slide)

• IA Control Name. A brief title phrase that describes the individual IA Control.

• IA Control Text. One or more sentences that describe the IA condition or state that the IA Control is intended to achieve.


Another IA Control Example


IA Control Subject Areas
Enclosure 4, DoDI 8500.2

• In the example to the right, the control level is two (2), which means there is a related IA Control, ECCT-1, that provides less robustness. There may also be an IA Control, ECCT-3, that provides greater robustness.


Baseline Information Assurance Levels

• Mandated by DoDD 8500.1, described in DoDI 8500.2
  – All DoD information systems shall be assigned a mission assurance category.
  – The mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission.

• DoD has three defined mission assurance categories:
  – Mission Assurance Category I (MAC I)
    • Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. MAC I systems require the most stringent protection measures.


DoD has three defined mission assurance categories: (cont.)

  – Mission Assurance Category II (MAC II)
    • Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. MAC II systems require additional safeguards beyond best practices to ensure adequate assurance.

  – Mission Assurance Category III (MAC III)
    • Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. MAC III systems require proactive measures, techniques, or procedures generally commensurate with commercial best practices.


Mission Assurance Category Summary
DoDI 8500.2 Enclosure 3

• The baseline sets of IA controls are pre-defined based on the determination of the Mission Assurance Category (MAC) and Confidentiality Levels as specified in the formal requirements documentation or by the info owner.

• IA Controls addressing availability, confidentiality, integrity, authentication and non-repudiation requirements are keyed to the system’s MAC based on the importance of the information to the mission, particularly the warfighters' combat mission, and on the sensitivity or classification of the information.


Mission Assurance Category Levels for IA Controls

• IA Controls addressing confidentiality requirements are based on the sensitivity or classification of the information. There are three MAC levels and three confidentiality levels, with each level representing increasingly stringent information assurance requirements.


Determining Baseline IA Controls


JCIDS Process and Acquisition Decisions
CJCSI 3170.01E


JCIDS and Information Assurance

• Information Assurance - Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.

• This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.

• Net-ready Key Performance Parameter (NR-KPP) - (see following)